mirror
/
c9-core
kopia lustrzana https://github.com/c9/core
1
0
Forkuj 0
Kod Zgłoszenia Packages Projekty Wydania Wiki Aktywność

no need to compromise security. We have the code in the cookie

pull/295/merge
Fabian Jakobs 2016-05-31 14:52:03 +00:00
rodzic 290550f86e
commit 09736fa7bb
2 zmienionych plików z 12 dodań i 12 usunięć
Pokaż statystyki Ściągnij plik aktualizacji Ściągnij plik porównania Expand all files Collapse all files

19
plugins/c9.preview/preview.handler.js
Wyświetl plik

@ -31,7 +31,8 @@ define(function(require, exports, module) {
var cookieName = options.session.prefix + ".sso"; var cookieName = options.session.prefix + ".sso";
var secret = options.session.secret; var secret = options.session.secret;
req.session = { req.session = {};
req.user = {
uid: -1 uid: -1
}; };
@ -45,9 +46,7 @@ define(function(require, exports, module) {
return next(err); return next(err);
} }
req.session = { req.user = user;
uid: user.id
};
next(); next();
}); });
} else { } else {
@ -60,7 +59,7 @@ define(function(require, exports, module) {
var roleCache = new Cache(10000, 10000); var roleCache = new Cache(10000, 10000);
return function(req, res, next) { return function(req, res, next) {
var key = req.params.username + "/" + req.params.projectname + ":" + req.session.uid; var key = req.params.username + "/" + req.params.projectname + ":" + req.user.id;
var wsSession = roleCache.get(key); var wsSession = roleCache.get(key);
if (wsSession) { if (wsSession) {
@ -77,13 +76,13 @@ define(function(require, exports, module) {
if (err) return next(err); if (err) return next(err);
project.getRole(req.session.uid, function(err, role) { project.getRole(req.user.id, function(err, role) {
if (err) return next(err); if (err) return next(err);
var wsSession = { var wsSession = {
role: role, role: role,
pid: project.id, pid: project.id,
uid: req.session.uid, uid: req.user.id,
type: project.scm type: project.scm
}; };
@ -127,7 +126,7 @@ define(function(require, exports, module) {
var role = req.projectSession.role; var role = req.projectSession.role;
if (role == db.Project.ROLE_NONE) { if (role == db.Project.ROLE_NONE) {
if (req.session.uid == -1) if (req.user.id == -1)
return next(new error.Unauthorized()); return next(new error.Unauthorized());
else else
return next(new error.Forbidden("You don't have access rights to preview this workspace")); return next(new error.Forbidden("You don't have access rights to preview this workspace"));
@ -154,7 +153,7 @@ define(function(require, exports, module) {
server = req.projectSession.vfsServer = server.internalUrl || server.url; server = req.projectSession.vfsServer = server.internalUrl || server.url;
} }
var url = server.replace(/\/vfs$/, "/internal/vfs/") + req.session.uid + "/" + req.projectSession.pid + "/preview"; var url = server + "/" + req.projectSession.pid + "/preview";
req.proxyUrl = url; req.proxyUrl = url;
next(); next();
@ -166,6 +165,8 @@ define(function(require, exports, module) {
var path = req.params.path; var path = req.params.path;
var url = req.proxyUrl + path; var url = req.proxyUrl + path;
if (req.user.code)
url += "?access_token=" + encodeURIComponent(req.user.code);
var parsedUrl = parseUrl(url); var parsedUrl = parseUrl(url);
var httpModule = parsedUrl.protocol == "https:" ? https : http; var httpModule = parsedUrl.protocol == "https:" ? https : http;

1
plugins/c9.preview/preview.js
Wyświetl plik

@ -20,7 +20,6 @@ define(function(require, exports, module) {
var handler = imports["preview.handler"]; var handler = imports["preview.handler"];
var userContent = imports["user-content.redirect"]; var userContent = imports["user-content.redirect"];
var getVfsServers = imports["vfs.serverlist"].getServers; var getVfsServers = imports["vfs.serverlist"].getServers;
var ratelimit = require("c9/ratelimit");
var frontdoor = require("frontdoor"); var frontdoor = require("frontdoor");
var error = require("http-error"); var error = require("http-error");